Barracuda CloudGen Firewall

8.3.4 Release Notes


As the CloudGen Firewall has evolved over the years with its increasing number of features, the Release Notes articles have grown accordingly. This, in turn, has also added greatly to the number of entries in the menu column.

To make the Release Notes articles easier to read, they are now equipped with support elements that provide a better overview of all sections contained while making it easier to navigate between and inside these sections.

Each of these sections can be expanded and collapsed separately to show only what you are interested in. Simply click below a header line to expand or collapse a section.

Note that depending on a certain release, the sections can vary both in content and number. In addition, a headline may be followed by certain symbols with the following meaning:

red_warning_tiny.png Critical information to be considered.

yellow_warning_tiny.png Important information included in the section.

update_tiny.png Updated information available.

feature-related.png Product-related information, e.g., new features, solved bugs.

know_issues_tiny.png Product-related information that relates to known bugs.

Note that regular information boxes in blue are not explicitly marked in the headline but may still appear in a section.

Each section can be expanded individually for informational or printing purposes.

yellow_warning_tiny.png

Important Announcements and Notes for Release 8.3.4

Read this section before you continue with the Release Notes below.

End-of-Life and End-of-Support Status

For information on which devices and services have reached EoL or EoS, see:

update_tiny.png

General and Maintenance Information for the 8.3.4 Release Notes 

Firmware version 8.3.4 is a minor release.

Before installing the new firmware version:

Do not manually reboot your system at any time during the update unless otherwise instructed by Barracuda Networks Technical Support. Upgrading can take up to 60 minutes.

To keep our customers informed, the history of this Release Notes article, the "Known Issues" list (at the end of this article), and the release of hotfixes resolving these known issues are now updated regularly. If there are intermediate updates to this release, the corresponding notes can be found in this info box.

23.10.2024 – Release of firmware 8.3.4

Recommendations and Prerequisites for Running Firmware Release 8.3.4

Use the Appropriate Firewall Admin Release

Barracuda Networks recommends using the latest version of Firewall Admin for a new firmware release.

As of the public availability of firmware 8.3.4, Barracuda Networks recommends using at least Firewall Admin version 8.3.4. You can download this version here: https://dlportal.barracudanetworks.com/#/packages/5984/FirewallAdmin_8.3.4-38.exe.

Who Can Update to Firmware Release 8.3.4

Read the Migration Notes 8.3.4 before updating to firmware 8.3.4.

For more information on the migration process, see the article 8.3.4 Migration Notes.

yellow_warning_tiny.png

Update-Relevant Information for 8.3.4 

Special Step to Be Taken after Updating to Firmware 8.3.4

Due to a known issue (BNNGF-95350), the CC Event daemon refuses connections after updating to firmware 8.3.4.

After updating to firmware 8.3.4, restart the CC Event daemon manually!

Feature Removals

While new requirements can result in adding new features, existing features can become obsolete over time. To keep the CloudGen Firewall up to date and performing properly, certain features will be removed completely, and others may be replaced with improved technology.

Features that Are No Longer Included as of this Version 8.3.4

If you require one of the listed features, do not update to this firmware version!

Features that Will Become Obsolete in an Upcoming Release

If you are currently using one of the features listed below, consider planning to switch to an appropriate alternative.

Currently, there are no features planned for removal. However, Barracuda Networks recommends checking for this again in the newest 9.x.x release notes.

FW Audit

As of firmware 9.x, FW Audit is being discontinued. If you have been using FW Audit for reporting in the past, Barracuda Networks recommends using Barracuda Firewall Insights for advanced reporting instead.

Web-UI

As of firmware 9.x, support for the Web-UI is being discontinued.

SMSd

As of firmware 9.x, the SMSd is being discontinued.

WANopt

As of firmware 9.x, WANopt is being discontinued.

New Features in Version 8.3.4 

As a minor release, version 8.3.4 contains important fixes.

feature-related.png

Solved Bugs and Improvements in Release 8.3.4

Authentication
  • Memory leaks no longer occur in certain situations. [BNNGF-78803]

  • TS Agent and DC Client users are now synced properly between HA partners. [BNNGF-90958]

  • The authentication service now sends special characters correctly with the RADIUS authentication scheme. [BNNGF-90980]

  • Template admins no longer experience issues in connection with different admin-handler daemons. [BNNGF-90984]

Barracuda Firewall Admin
  • Disabling Force regular password change for CC Admins now works as expected. [BNNGF-93020]

  • It is now possible to enforce minimum endpoint settings via Firewall Admin that VPN clients must comply with if they want to remotely connect. [BNNGF-94183]

  • In Firewall Admin, all tabs (VPN, ATP, DHCP,...) and their subtabs can be accessed as expected after logging into the box using OTP with a session password. [BNNGF-94393]

  • After the update to 8.3.4, '-' is the only special character that is allowed to be used in firewall section names. [BNNGF-94617]

Barracuda OS
  • xDSL and PPPoE options are now present on VCF models. [BNNGF-93600]

  • The status of interfaces is now displayed correctly in the DASHBOARD. [BNNGF-94097]

  • The certificates for Apple Push notification have been renewed. [BNNGF-94103]

  • A firewall as part of an HA pair no longer detects its counterpart as unknown. [BNNGF-94287]

  • OpenSSH has been updated to version 9.8.p1. [BNNGF-94737]

  • ART creates the SSH socket as expected. [BNNGF-94877]

Cloud General
  • New command line options have been added for handling mounts and for initiating a reboot. [BNNGF-93619]

Cloud Azure
  • The waagent lease file is now created as expected on non-DHCP boxes. [BNNGF-94798]

Control Center
  • The trustzone sync no longer stops syncing information in certain situations. [BNNGF-91358]

  • When executing a script for remote execution that includes the string 'BOX' with capital letters in the name, the script now executes flawlessly. [BNNGF-93752]

DHCP
  • Multi-homing no longer causes issues with relay agent IP addresses. [BNNGF-90960]

  • DHCPv6 relay now forwards requests on all available interfaces. [BNNGF-93780]

Firewall
  • SSL Inspection no longer fails for new connections after a longer period. [BNNGF-91043]

  • Flood ping protection thresholds now work as expected. [BNNGF-91605]

  • Websites are now blocked correctly (URL filter, TLS encryption) on old browsers like Internet Explorer. [BNNGF-92965]

  • The OP-SRV-VPN-DYNIF rule now works correctly if xDSL is used. [BNNGF-93253]

  • After a reboot, the firewall no longer writes call traces to the logs that are related to the offloading settings in Azure boxes. Warnings, errors, and other information are written to the log as expected. [BNNGF-93282]

  • Referencing Global Firewall Objects for TLS Inspection by cluster firewalls now works as expected. [BNNGF-93282]

  • Compatibility issues have been fixed in URL Filtering, Application Detection, and TLS Inspection when using recent versions of Chrome and Firefox that use the Kyber TLS key encapsulation mechanism. [BNNGF-93365]

  • Improvements have been made to shaping performance. [BNNGF-93377]

  • A new user agent was added that matches the Microsoft CryptoAPI. [BNNGF-93822]

  • The detection of MS Office files has been improved. [BNNGF-93824]

  • tap3 no longer crashes during archive scanning. [BNNGF-93956]

  • The MS Teams application now works as expected. [BNNGF-94130]

  • TCP Sessions are no longer blocked erroneously. [BNNGF-94304]

  • DOCX files are no longer identified as Microsoft Publisher data files. [BNNGF-94334]

  • The HA-sync port 688 is now allowed in the host firewall ruleset. [BNNGF-94406]

  • The sharefile app no longer contains non-permitted domains. [BNNGF-94425]

  • Weaknesses addressed by “CVE-2002-20001, CVE-2022-40735 - Diffie-Hellman key agreement protocol” have been removed. [BNNGF-94506]

  • A race condition in the firewall bridge that caused a deadlock on a certain CPU has been fixed. [BNNGF-94602]

  • Application Control no longer slows down web traffic. [BNNGF-95197]

HTTP Proxy
  • Exchange authentication over the reverse proxy now works as expected. [BNNGF-90426]

  • The HTTP proxy has been updated to version 6.12. [BNNGF-95376]

Virus Scanner
  • Anti-virus timeouts no longer occur. [BNNGF-92968]

  • On a secondary box, the folder 'virusfree' gets emptied as expected. [BNNGF-94202]

  • The anti-virus service no longer becomes unresponsive in certain situations. [BNNGF-94853]

VPN
  • Wi-Fi traffic is moved into a VPN tunnel as expected. [BNNGF-90957]

  • The firewall no longer experiences unexpected high CPU loads with a large number of VPN tunnels. [BNNGF-91223]

  • Unexpected memory consumption no longer occurs when running dynmesh tunnels. [BNNGF-92578]

  • Client-to-site VPN with RADIUS MFA now works as expected. [BNNGF-92696]

  • SSL VPN License Count now works as expected. [BNNGF-92964]

  • KTINA frees C2S IP addresses as expected. [BNNGF-94374]

  • The error message VPN shaping not licensed no longer occurs in certain situations. [BNNGF-94376]

  • The ‘MainTable Routing’ setting will be ignored for IPsec tunnels, and the ‘MainTable Routing’ setting will be ignored for IKEv2 tunnels with one tunnel per subnet. [BNNGF-94561]

know_issues_tiny.png

Known Issues in Release 8.3.4

Known Issues Related to CGF Policy Profiles
  • IMPORTANT – Policy profiles cannot be used on a VPN concentrator or Secure Access Controller!

  • Firewall – If a VPN TINA tunnel transport over a specific ISP goes down, the Internet traffic over the same ISP link will not work either. [BNNGF-81749]

  • Provider class in boxnet must not be changed "afterward" unless existing VPN tunnels are reconfigured accordingly.

  • There is currently no VRF support for policies in 8.3.4.

Known Issues Related to Other Topics
  • Currently, no RCS information is logged for Named Networks. [BNNGF-47097]

  • The learn-only mode for OSPF is not working as expected. [BNNGF-65299]

  • Barracuda OS – SNMP does not currently indicate the issue if a power supply unit (PSU) is down. [BNNGF-95463]

  • Control Center – The CC Event daemon refuses connections after an update with the error “access denied”. [BNNGF-95350]
    Workaround: Restart the CC Event service manually, and it will operate as expected.

  • Firewall – Inspecting traffic for QUIC / UDP 443 is currently not supported. [BNNGF-74540]

  • Firewall – SSL inspection breaks on Office 365 admin page with TLS 1.3. [BNNGF-83026]

    NOTE: If a contacted server does not support at least the configured minimum TLS version, then no connections to that server will be possible. Connections will be reset. This can especially have an impact on embedded frames or Cross-Origin Resource Sharing (CORS) when those servers do not support the same TLS version as the main site.

    For troubleshooting:
    Turn Box > Infrastructure Services > General Firewall Configuration > Advanced Log Settings > SSL/TLS loglevel to debug.
    Look out for "alert protocol version" in SSL logs (Assigned Services > NGFW > SSL), e.g.:

    11.04.2022 15:36:46 Info firewall: [TAP3Worker] Worker 1: Session 1271: SSL handshake to server failed: ID 2400 192.168.100.95:54525 <=> 104.103.84.247:443 assets.onestore.ms: error in OpenSSL library: error:0A00042E:SSL routines::tlsv1 alert protocol version
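
    The log check described above, as an added example (not part of the original release notes and not Barracuda code): it scans exported SSL log lines for "alert protocol version" handshake failures and groups them by server name, showing which servers reject the configured minimum TLS version. The field layout is inferred from the single sample line above; every log line except the first is constructed.

```python
import re
from collections import defaultdict

# Field layout inferred from the one sample line in the release notes (an
# assumption, not a documented format): timestamp, client ip:port,
# server ip:port, server name, OpenSSL error text.
HANDSHAKE_FAILED = re.compile(
    r"^(?P<ts>\d{2}\.\d{2}\.\d{4} \d{2}:\d{2}:\d{2}) .*?"
    r"Session (?P<session>\d+): SSL handshake to server failed: ID \d+ "
    r"(?P<client>\S+):\d+ <=> (?P<server>\S+:\d+) (?P<name>\S+): "
    r"error in OpenSSL library: (?P<error>.*)$"
)

# First line is the one quoted in the release notes; the rest are constructed.
SAMPLE_LOG = """\
11.04.2022 15:36:46 Info firewall: [TAP3Worker] Worker 1: Session 1271: SSL handshake to server failed: ID 2400 192.168.100.95:54525 <=> 104.103.84.247:443 assets.onestore.ms: error in OpenSSL library: error:0A00042E:SSL routines::tlsv1 alert protocol version
11.04.2022 15:37:02 Info firewall: [TAP3Worker] Worker 2: Session 1302: SSL handshake to server failed: ID 2411 192.168.100.96:50112 <=> 198.51.100.20:443 cdn.example.net: error in OpenSSL library: error:0A00042E:SSL routines::tlsv1 alert protocol version
11.04.2022 15:37:05 Info firewall: [TAP3Worker] Worker 1: Session 1310: SSL handshake to server failed: ID 2415 192.168.100.95:54590 <=> 203.0.113.7:443 api.example.org: error in OpenSSL library: error:0A000410:SSL routines::sslv3 alert handshake failure
11.04.2022 15:37:09 Info firewall: [TAP3Worker] Worker 3: Session 1322: SSL handshake to server failed: ID 2420 192.168.100.95:54601 <=> 198.51.100.20:443 cdn.example.net: error in OpenSSL library: error:0A00042E:SSL routines::tlsv1 alert protocol version
11.04.2022 15:37:11 Info firewall: constructed filler line that is not a handshake failure
"""


def protocol_version_failures(lines):
    """Group 'alert protocol version' handshake failures by server name."""
    report = defaultdict(lambda: {"count": 0, "servers": set(), "clients": set()})
    for line in lines:
        m = HANDSHAKE_FAILED.match(line.strip())
        # Skip unrelated lines and handshake failures with other causes.
        if not m or "alert protocol version" not in m["error"]:
            continue
        entry = report[m["name"]]
        entry["count"] += 1
        entry["servers"].add(m["server"])
        entry["clients"].add(m["client"])
    return dict(report)


if __name__ == "__main__":
    found = protocol_version_failures(SAMPLE_LOG.splitlines())
    # Most frequently failing server names first.
    for name, info in sorted(found.items(), key=lambda kv: -kv[1]["count"]):
        print(f"{name}: {info['count']} failure(s), "
              f"servers={sorted(info['servers'])}, clients={sorted(info['clients'])}")
```

    Server names that appear here but are not the main site are candidates for the embedded-frame and CORS breakage described in the note above.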